
Here's an article for Netskope on blocking Base64 encoded sensitive data using custom regex, along with the step-by-step DLP policy creation process.


Blocking Base64 Encoded Sensitive Data with Netskope DLP: A Step-by-Step Guide


In today's cloud-centric world, organizations face the persistent challenge of preventing sensitive data from leaving their control. While traditional DLP solutions are effective against clear-text data, a common evasion technique involves encoding sensitive information, particularly using Base64, to bypass detection. This article will demonstrate how Netskope's powerful DLP capabilities, combined with custom regular expressions, can effectively block the sharing of sensitive data transformed into Base64 encoded strings.

The Challenge: Evading DLP with Base64 Encoding

Base64 encoding is a method of representing binary data in an ASCII string format. While legitimate for many purposes, it can be misused to obscure sensitive information like credit card numbers, social security numbers, or confidential documents, making them appear as innocuous strings of characters. A standard DLP policy looking for specific patterns in plain text might miss these encoded forms, creating a significant blind spot.

The Solution: Custom Regex for Base64 Encoded Data

Netskope's DLP engine allows for the creation of highly specific detection profiles using custom regular expressions. By crafting a regex that matches the characteristics of Base64 encoded strings, especially those of a certain length that would likely contain sensitive data, we can effectively identify and block these attempts.

For this guide, we will use the following custom regex:

[A-Za-z0-9+/]{40,}={0,2}

Explanation of the Regex:

  • [A-Za-z0-9+/]: A character class matching any uppercase letter, lowercase letter, digit, plus sign (+), or forward slash (/). These are the 64 standard characters of the Base64 alphabet.
  • {40,}: Specifies that the preceding character set must appear 40 or more times. This length threshold is crucial. Base64 encoding expands the data size by approximately 33%. A minimum length of 40 characters ensures we are looking for potentially significant chunks of encoded data, reducing false positives from very short, harmless Base64 strings.
  • ={0,2}: Matches zero, one, or two equals signs (=). Base64 output is padded with one or two equals signs at the end whenever the input length is not a multiple of three, so that the encoded length is a multiple of four.

This regex is designed to identify Base64 encoded strings that are long enough to likely contain sensitive information, while accounting for the standard padding characters.
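As an added example (not code from the original post or from Netskope), the Python script below applies the article's regex to a constructed message and then decodes each flagged run, so that a Base64-wrapped card number can be told apart from a hex digest that merely fits the Base64 alphabet. CARD_RE, the verdict names and the sample data are assumptions made here for illustration.

```python
import base64
import binascii
import hashlib
import re

# The custom regex from the article: 40 or more Base64 alphabet characters,
# then up to two '=' padding characters.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Hypothetical plain-text rule run over the *decoded* bytes (assumption: a
# 13- to 16-digit run, roughly the shape of a payment card number).
CARD_RE = re.compile(rb"\b\d{13,16}\b")


def min_plaintext_bytes(min_b64_chars: int) -> int:
    """Smallest plaintext size a run of min_b64_chars Base64 characters encodes."""
    return min_b64_chars * 3 // 4  # 4 Base64 chars carry 3 bytes: 40 -> 30


def find_candidates(text: str) -> list:
    """Every substring the article's regex would flag."""
    return BASE64_RE.findall(text)


def classify(candidate: str) -> str:
    """Decode a flagged run and report what the match actually contains."""
    padded = candidate + "=" * (-len(candidate) % 4)  # repair missing padding
    try:
        decoded = base64.b64decode(padded, validate=True)
    except binascii.Error:
        return "invalid-base64"  # regex-shaped, but not decodable
    if not all(32 <= b < 127 or b in (9, 10, 13) for b in decoded):
        return "binary"  # e.g. a hex digest that happens to fit the alphabet
    if CARD_RE.search(decoded):
        return "sensitive"  # decoded text trips the plain-text rule
    return "benign"


# Constructed sample message (not real data): an encoded card number, a SHA-256
# hex digest, a short Base64 token and an un-encoded card number.
ENCODED_CARD = base64.b64encode(b"card=4111111111111111 exp=12/29").decode()
HEX_DIGEST = hashlib.sha256(b"").hexdigest()
SAMPLE_TEXT = (
    f"attachment: {ENCODED_CARD} checksum: {HEX_DIGEST} "
    "greeting: aGVsbG8= clear: 4111111111111111"
)

if __name__ == "__main__":
    for run in find_candidates(SAMPLE_TEXT):
        print(f"{classify(run):15} {run}")
```

Note that the un-encoded card number is not flagged by this regex at all, so the Base64 rule complements, rather than replaces, the plain-text DLP rules.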

Step-by-Step Netskope DLP Policy Creation Process

Now, let's walk through the process of creating a Netskope DLP policy to block Base64 encoded sensitive data using our custom regex.

Before you begin: Ensure you have appropriate administrative access to your Netskope tenant.

Step 1: Navigate to DLP Policies

  1. From the Netskope UI, navigate to Policies > DLP.

Step 2: Create a New Custom Profile

  1. Go to the DLP Profiles tab.
  2. Click New DLP Profile.
  3. Give your profile a descriptive name, for example: Sensitive Base64 Encoded Data.
  4. Add a brief description, e.g., Detects and blocks Base64 encoded strings potentially containing sensitive data.

Step 3: Add a New Custom Regular Expression Rule

  1. Within your newly created DLP profile, click on New Rule.
  2. Select Custom Regular Expression.
  3. In the "Regex" field, enter your custom regex: [A-Za-z0-9+/]{40,}={0,2}.
  4. For "Match Count," you can set it to 1 or more depending on your strictness. For blocking, even one match is usually sufficient.
  5. You can optionally enable "Case Sensitive". Base64 is case-sensitive by nature (A and a encode different values), and because the character class above already lists both the uppercase and lowercase ranges, this setting does not change what the rule matches.
  6. Click Save.

Step 4: Save the DLP Profile

  1. After adding the regex rule, click Save to save the entire DLP profile.

Step 5: Create a New DLP Policy

  1. Go back to the DLP Policies tab.
  2. Click New DLP Policy.

Step 6: Configure the Policy Details

  1. Policy Name: Give your policy a clear and descriptive name, e.g., Block Sensitive Base64 Encoded Data Sharing.
  2. Description: Provide a brief explanation of the policy's purpose.
  3. Status: Set to Enabled.

Step 7: Define the Scope and Rules

  1. Users/User Groups: Select the users or user groups this policy should apply to. You might start with a test group before a broader rollout.
  2. DLP Profile: From the dropdown, select the DLP profile you created earlier (e.g., Sensitive Base64 Encoded Data).
  3. Services: Choose the cloud services you want to monitor for this type of data sharing (e.g., Google Drive, OneDrive, Slack, etc.). Select all relevant services where sensitive data might be uploaded or shared.
  4. Activities: Select the activities you want to monitor and block. Common choices for preventing data sharing include:
    • Upload
    • Post
    • Share
    • Email (if integrating with email DLP)
  5. Direction: Set to Outbound to prevent data from leaving your organization.

Step 8: Define the Action

  1. Under "Action," select Block.
  2. You can also choose to enable "Alert" to receive notifications when this policy is triggered.
  3. Consider enabling "Coaching" or "User Notification" to inform users why their action was blocked and guide them to compliant behavior.

Step 9: Review and Save the Policy

  1. Carefully review all the settings of your DLP policy.
  2. Once satisfied, click Save.

Conclusion

By following these steps, you have successfully created a Netskope DLP policy that leverages a custom regular expression to identify and block the sharing of sensitive data transformed into Base64 encoded strings. This proactive approach significantly enhances your data protection posture, closing a critical gap that attackers might exploit to exfiltrate sensitive information. Remember to continuously monitor your DLP alerts and refine your regex as needed to adapt to evolving threats and ensure optimal detection accuracy.

Great article @Vansh_Patade. Thank you for sharing.
